| 17 April 2011
- Mind the Gap – bridging the security gap in Microsoft’s communication and collaboration platform to support secure file transfer
As the next wave of Microsoft products aim to define how people work, there is still one area in which SharePoint 2010, Outlook 2010 and OCS come up short - the ability to move files quickly and securely. Microsoft SharePoint, Outlook and OCS products offer collaboration and communications functionality to business users, including basic file transfer. However for today's businesses, this basic file transfer comes up short in size and security. SharePoint limits file transfer between internal and external recipients, Outlook best practices limits file attachments to 10MB, and OCS provides no tracking or security for file transfers.
To compete efficiently in today’s global economy, and to make the most of distributed teams, enterprises depend on online communication and collaboration.
The majority of these enterprises today use Microsoft communication and collaboration infrastructure software including Microsoft SharePoint, OCS, and Exchange.
Today, Microsoft Exchange is the most prevalent email server for business. For collaboration and content management, more than 100 million users use Microsoft SharePoint. The Microsoft Office Communications Server (OCS) rounds out Microsoft’s communication and collaboration solutions with a client that offers IM, telephony, voice/video conferencing, web conferencing, and other collaborative technologies.
Together, these Microsoft products make it easy for enterprise users to communicate and collaborate. Users can switch easily from email to chat to blogging to VOIP conferencing, using whatever tool best meets their collaboration needs at the moment.
However communication and collaboration is not limited to corporate boundaries and the out-of-the-box file transfer capabilities provided within Exchange, OCS and SharePoint do not provide a guaranteed secure delivery path to all users.
These products create security challenges for enterprises that need to collaborate and share information with external users such as government partners, customers, remote users, and mobile workers.
The challenge lies in the limitations these Microsoft solutions impose on file sharing. Enterprises need more flexibility, including the ability to transfer files securely to users outside the firewall who lack access to an internal SharePoint server. Enterprises need to be able to reach these users without setting up complex external server farms and punching holes in firewalls. Enterprises also need security and audit controls lacking in Exchange and OCS.
The security gap between file transfer capabilities and Communication and collaboration requirements
All three Microsoft communication and collaboration solutions—Exchange, SharePoint, and OCS—offer some means of file sharing:
SharePoint offers a secure data repository that enterprises can use to manage and protect confidential files. Users can upload files into SharePoint Document Libraries where only authorized users can access them.
OCS, like other IM applications, includes a file transfer mechanism that enables users to send a file to other users, such as colleagues participating in a chat or video session.
Exchange enables users to send files as email attachments. But these products, by themselves, don’t meet the need of today’s agile, highly distributed organizations. Today, internal users need to collaborate not only with one another, but also with a broad community of external users, including
- Remote users
- Foreign manufacturers
- Remote divisions and branch offices
- Law offices
- PR and marketing agencies
- Industry consortia
To collaborate effectively, internal users need a way to easily and securely transfer files to these external users. They need to bridge the security gap in their communication and collaboration infrastructure to reach larger, heterogeneous communities of collaborators.
Simply finding a way to transfer files isn’t enough–enterprises must ensure that file transfers are secure. IT managers and security officers need to audit file transfers and confirm that confidential data is not being sent to inappropriate parties. File transfers must comply with all applicable laws and industry regulations mandating security and audit trails for confidential communications.
Applicable laws and regulations might include Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Availability Act (HIPAA).
Let’s examine how the security gap affects each solution in the Microsoft communication and collaboration infrastructure: SharePoint, OCS, and Exchange.
The security gap in SharePoint
SharePoint’s security is based on authorized users (usually employees) checking files into and out of secured Document Libraries. To share files, internal users share links that work only within the SharePoint domain. These links don’t work for external users.
It’s rare for an IT department to give SharePoint accounts to external users for sharing information. It is extremely cumbersome and expensive to set up access and manage separate servers in the DMZ. Because external users are blocked from SharePoint access, internal SharePoint users cannot easily or securely transfer files to large numbers of users with whom they’re collaborating.
Dangerous workarounds and the risk to compliance
When users discover they can’t share their SharePoint files with external users, they frequently seek workarounds, regardless of the security risks. After all, one way or another, they need to share files. So users resort to emailing files through a personal webmail account, sign up for a free file-sharing service, or to copy the files to a USB memory stick or a CD ROM.
In all these cases, files are transferred in unsecure ways outside of the purview of the IT department. The enterprise loses control and oversight over the files.
Security risks abound. Email may be forwarded or intercepted. File-sharing services may leave confidential files vulnerable on servers. USB memory sticks and CD ROMs may be lost. If the files contain confidential data, such transfers may violate privacy laws and industry regulations.
An expensive alternative: Building an in-house file transfer server farm
To bridge this security gap, an enterprise can set up dedicated file servers with authentication systems for external users. IT can set up external-facing SharePoint servers and change network topologies to create a secure environment for external communications.
But this is expensive, time-consuming, and cumbersome—a real IT nightmare. Few enterprise IT departments would seriously consider taking on this sort of overhead, which involves capital expenses, considerable software licensing costs, and ongoing labor costs. The very idea of exposing confidential data sources is likely to make security and compliance officers uneasy. To mitigate one set of security risks, this approach creates another set, and requires a significant hardware investment as well.
The security gap in OCS
A different file transfer security gap affects communications through OCS. The risk here is that files can be readily transferred in unsecure ways and without IT knowledge. Sufficient encryption and authentication controls are not in place.
Microsoft Office Communications Server R2, for example, allows users to transfer files to any other user of OCS, a government partner or a user of PIC compatible IM client (such as Yahoo!, MSN, and AOL clients). Enterprise IT has to open ports on the firewalls for the information sharing in Microsoft OCS R2.
There’s no easy way for IT to ensure that files are being transferred securely and in compliance with company policies. The file transfers are unencrypted, unmonitored, and not auditable.
To protect, track, and manage files exchanged through ad hoc collaborations with employees and outside government partners, enterprises need to close the security gap in Microsoft’s communication and collaboration infrastructure. They need a secure file transfer solution that complements and extends the Microsoft infrastructure, enabling users to continue using the client and server programs they’re familiar with, while taking advantage of encryption, authentication, and other security mechanisms for protecting valuable data assets.
The security gap in exchange
A similar problem of unsecure and unsupervised file transfer exists for Microsoft Exchange. Sending file attachments is second nature for email users. The ease with which email can be used to send attachments has made it the most commonly used file transfer mechanism for business users today. While sending files through email is very convenient, email systems were never designed to handle file attachments efficiently or securely. The enormous volume of information being sent in email attachments has resulted in degraded email server performance, slower message delivery times and security concerns.
Because as much as 80% of email storage is files, addressing the performance and security issues related to file transfers is becoming increasingly critical for IT administrators and security officers.
A common practice in most organizations today is to limit the size of file attachments and place a quota on mailbox size. Unfortunately this solution for reducing the volume of files being shared via email has only increased the security concerns as business users seek unsecure IT workarounds. Use of USB sticks, unsecure FTP, P2P file sharing and shipping information on CDs via courier, as a workaround to email attachment limits, has led to many high profile data breaches.
Closing the security gap with secure file transfer
By deploying a secure file transfer solution to address the security and monitoring requirements relying on Microsoft for their communication and collaboration needs, Enterprise IT departments can ensure their users communicate and collaborate securely with both internal users and external users, while avoiding risky file-sharing practices, and avoid expensive deployments of special server farms.
According to Gartner Senior Research Analyst, Thomas Skybakmoen, “integration of secure file transfer capabilities with desktop applications makes file transfer more accessible to business users, enabling enterprises to increase data security and prevent costly data breaches. Expanded availability and accessibility of secure file transfer is fuelling the growth of the managed file transfer market."
Yorgen Edholm, president and CEO of Accellion believes that quick and easy access to information is essential for business collaboration, but protection of intellectual property and meeting compliance requirements is crucial. By integrating a secure file transfer solution across Microsoft’s Business Productivity Infrastructure, enterprise organizations can now protect their intellectual property, achieve compliance and improve workflow efficiency by providing users with an easily accessible way to move confidential digital information.
At Thomson Reuters SharePoint is used as their document repository for storing all of their product information. The company has a large number of documents that are typically sent to customers, downloaded and then sent via email. The SharePoint plug-in installed at Thomson Reuters allows them to send these files very efficiently and securely through their virtual file transfer appliance, and more importantly, allows them to keep these files out of the e-mail system and off of our employees’ computers.”
A secure file transfer solution is no longer a luxury, but rather a necessity. The IT department has a responsibility to select and provide a solution that meets the security and compliance requirements and fits into the regular workflow of business.
A Secure File Transfer solution must be able to offer Enterprises the following benefits:
- Secure file transfer with internal users, as well as partners, customers, and other authorized external users.
- Real-time, on-demand file sharing—useful for document reviews and other collaborative processes.
- A single solution that extends all Microsoft communication and collaboration products, including SharePoint, OCS R2, and Exchange.
- Dashboard controls and reporting enabling IT managers and security officers
- to track the distribution of files.
- Controls for achieving compliance with SOX, HIPAA, GLBA, and internal security guidelines.
- File transfer security that extends beyond the enterprise firewall, and supports users of non-Microsoft, PIC-compatible clients.
- Return receipts through email so that users can confirm that their files have been received.
ABOUT PAUL STEINER, Managing Director, Europe, Middle East & Africa
Mr. Steiner joined Accellion in 2001 as Senior Vice President-Europe. Prior to joining Accellion he held positions as Vice President of International-Europe at AboveNet Communications, Inc. and Managing Director of Europe, Africa, Middle East and India for NetCom. As a management consultant with McKinsey & Co., in Munich, Germany, Mr. Steiner’s clients included Daimler Benz, Europe’s largest copper refinery, and leading German firms in banking, insurance, retail and publishing. Mr. Steiner also co-founded NETWAY in 1995, one of the first ISPs which grew to be the leading Austrian ISP before being sold to UTA/Tele 2 in 2001.
Mr. Steiner completed a PhD and MSc in Petroleum Engineering from Leoben Mining University, and an MBA from The University of Michigan.